TraceSecurity CTO Jim Stickley: Robbing Banks With Impunity

TraceSecurity is a security-compliance firm that assists financial institutions with protecting their customer's personally identifiable information -- sometimes by attempting to break into their networks. "A few years ago this type of service was much like trying to sell ice to Eskimos," said CTO Jim Stickley. "Now people call us. They realize the need for security."

Jim Stickley, CTO of TraceSecurity makes his living sneaking into other peoples' businesses and leaving with their data.

Stickley robs banks, but unlike conventional thieves, he is not after what is locked inside the vault. Instead, he steals personally identifiable information such as names, addresses, Social Security numbers, credit card numbers and passwords.

However, he never has to worry about getting caught or going to jail. On the contrary, corporate brass hire him to break in. When he does, the workers that unknowingly let him in learn a valuable lesson about data security.

As cofounder of TraceSecurity and its vice president of engineering, Stickley thrives on the security shortcomings of both large and small corporations. When he and his team of stealth hackers go to work, they can count on being successful.

Human nature never lets them down.

Privately-held TraceSecurity is a security-compliance firm that assists financial institutions with protecting their most valuable asset -- their customers' personally identifiable information. The company's enterprise software helps customers satisfy national and international data security compliance requirements mandated by such regulations as Sarbanes-Oxley, GLBA and HIPAA.

Over 400 global enterprises in the financial services, insurance, energy, government, manufacturing and services industries hire Stickley's firm to continually monitor and improve the computer security of their companies.

The E-Commerce Times discussed with Stickley the social engineering and hacker tricks he uses to test the level of safety -- or lack thereof -- surrounding his clients' most sensitive customer and corporate data.

E-Commerce Times: How much of a demand is there for the kind of white hat hacking TraceSecurity offers?

Jim Stickley: The company has a team of hackers who do these projects with me. A few years ago this type of service was much like trying to sell ice to Eskimos. Now people call us. They realize the need for security.

Any kind of business or facility with critical data to protect needs security monitoring. Our typical clients are law firms and financial institutions.

ECT: How much of a challenge do you confront? After all, aren't corporations well aware of the need for data security?

JS: Being able to walk off with key corporate data that officials assumed was iron-clad safe is the Holy Grail of security.

We do both external hacking and physical break-ins. Often, we pose as a fire inspectors, fire marshals, even elevator repairmen. We are constantly coming up with new ways to get inside a business.

ECT: You describe the scenario for the types of plots we watch on TV and movies. How dangerous is it to do what you pull off?

JS: Upper management hires us. Key groups of executives, usually three to five people, know that we are setting them up. When we have accomplished our tasks, we meet in a prearranged location to turn over the actual information we acquired. We always have the authenticating credentials with us in case somebody does not believe us. We always have our get-out-of-jail-free documents with us.

ECT: How do you actually compromise a corporate office or a bank's computer system?

JS: On the physical side, about 80 percent of all security breaches involve lapses in access policies. We usually have a back story to tell as we acquire the company's background. We make it look like we're supposed to be there. Once we are inside, the people who should know better than to leave us alone don't escort us from place to place.

One of my common ruses when a company official does hang around is to feign sickness and ask to be taken to the bathroom. Nobody ever wants to wait around for 15 minutes or a half an hour for somebody to get over being sick. So they leave me alone. Then I can go wherever.

I always have a collection of reasons to make my escorts go away. It can be something very simple like getting me a cup of coffee or more involved such as finding an associate who I insist be present.

People in the company who are supposed to be responsible for watching us need to be diligent to follow up. Most usually aren't.

ECT: Compared to physically breaking into a building, how much harder is it to slip into a corporation's computer network?

JS: On the remote access side, the easiest way to hack into a system is to go after the employees. Trojan exploits are one of the surest and simplest ways to gain access. I write many of the Trojan scripts myself.

We hide a Trojan script in an e-mail. When the employee responds or provides requested information, we are able to enter the network undetected.

Another access ruse is to take advantage of when people make mistakes on a Web site design. Cross site scripting and sequel injections are two very handy exploits into a corporate network. People within the company never test for these things. It only takes a single coding flaw. People just don't realize how really simple it is to get in.

ECT: What are cross site scripting and sequel injections?

JS: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications which allow code injection by malicious Web users into the Web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.

Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. The main risk of cross site scripting is that an attacker can steal cookies from a PC.

SQL injection allows a hacker to deliver a malicious command to a server through a Web browser in a remote place and hijack the server.

SQL injection is a technique for exploiting Web applications that use client-supplied data in SQL queries, but without first stripping potentially harmful characters. SQL injections allow you to run commands on the database and pull any piece of data from that database or put data into the database.

ECT: How can banks and other companies avoid this kind of data theft?

JS: Protecting against this type of entry comes down to training employees about how easy it is to Trojan a single desktop computer. Once a single computer at somebody's workstation is compromised, the network falls like dominoes.

ECT: How expensive is it to hack-proof a business?

JS: Pricing for our service ranges from (US)$5,000 to $7,000. The cost is based on the size of the company. But the cost factor is all relative to the value of the corporate data that can be compromised.